[Snort-users] 100% Outstanding - what does that mean?

Russ Combs rcombs at ...1935...
Mon Aug 9 11:14:57 EDT 2010


On Mon, Aug 9, 2010 at 11:04 AM, Bryan Arenal <b.arenal at ...11827...> wrote:

> I just set up a new sensor and when checking its performance
> statistics, I am seeing a couple of the interfaces with Outstanding at
> 100%.  Here's the output from one of the interfaces:
>
> Aug  9 06:56:54 spock snort[1536]:
>
> ===============================================================================
> Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
> Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
> Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
> Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
> Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
> Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
> Aug  9 06:56:54 spock snort[1536]:    Injected:            0
> Aug  9 06:56:54 spock snort[1536]:
>
> ===============================================================================
>
> What exactly does that mean?  A google search shows a February email
> from Matt Watchinski saying, "Outstanding means that packets never got
> out of the ethernet card before they got dropped.  IE pcap didn't get
> to them before they disappeared."  But the README.counts in the 2.9.0
> beta documentation says "Outstanding indicates how many packets are
> buffered awaiting processing."  So I suppose I'm a bit confused.  If
> they're buffered, pcap has gotten to them, correct?  Can I see why
> 100% of them are buffered and not processing?
>

The DAQ changes things up a little with 2.9.0.  Which DAQ are you using and
how is it configured?



> Regards,
>
> Bryan
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by
>
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100809/abf61877/attachment.html>


More information about the Snort-users mailing list